
Change VPN server if the connection goes down


lko

Hi,

I have problems with my VPN provider from time to time. Their servers just die or the load goes to 100%.

So I have been thinking of writing a script, which would monitor the connection and if it goes down, it would tear down the current connection and try the next server.

I would be grateful for suggestions how this should be implemented because I am not familiar with the firmware.
For example, I could fill out all the VPN client tabs in the GUI. Then the script would monitor the connection (let's say, ping some well-known stable site) and if it detects that the connection is not working anymore, it could loop over those pre-filled VPN client configs and try to connect to each one at a time until a connection succeeds.

Thank you.

PS. I made a donation to Eric because I love the firmware. If you still haven't, you should.
 
lko, welcome to the forum. This is a good idea, if Eric can find time to implement it; unless this is in the proprietary code or section that he has no access to. IMO, if not for his VPN work, Asus routers would still have the most rudimentary VPN pass-through service. (The old days weren't better)

From reading your well-written description, it looks like you want to automate the transfer in the router from a dropped/disconnected VPN tunnel, and turn on a different pre-configured working tunnel for the same (or a different) VPN provider, much the same as many VPN providers already write into their PC client configs. Are you able to monitor our connection in real-time? We leave the router GUI open to the OpenVPN client page, so that immediately if and when a tunnel drops, we can turn that one off and turn the next config/tunnel on. Above my knowledge/pay grade, but this doesn't seem to be something that is going to be an easy task especially if one utilizes more than one VPN provider. Hope it pans out, cheers.
 
Thank you for your replies!

lko, welcome to the forum. This is a good idea, if Eric can find time to implement it; unless this is in the proprietary code or section that he has no access to. IMO, if not for his VPN work, Asus routers would still have the most rudimentary VPN pass-through service. (The old days weren't better)

Thank you :)
I have been reading about the firmware and what Eric has done with it and I agree with you, that's why I also donated, to support his work and give my compliments.
Of course, would be great to see this as an official feature, but I don't expect it. If I could get some pointers, I can write a script and share it with everyone.

From reading your well-written description, it looks like you want to automate the transfer in the router from a dropped/disconnected VPN tunnel, and turn on a different pre-configured working tunnel for the same (or a different) VPN provider, much the same as many VPN providers already write into their PC client configs.

Yes, exactly correct. The tunnel just dies away from time to time, I can see it in the GUI status page when the public IP address is marked as unknown. There was also something in the OpenVPN logs, at least timeout or similar.

Are you able to monitor our connection in real-time?

I was thinking something like pinging Google's DNS server every minute or so, but I could also just read the log files to detect the dropout locally (and without generating useless traffic to other servers ;) ). So this won't be a problem.

I am not looking for a GUI solution, I am much more comfortable on CLI, thank you very much. I was just thinking how to handle the VPN client configurations, because it is OpenVPN I know that I can just use .ovpn config files from my provider. But I don't know how the GUI commands the underlying OpenVPN client, if there are wrapper scripts to provide kill switch and routing options. Those are the things I could use a helping hand with.

Cheers!
 
I guess almost anything is possible but to make this happen isn't trivial particularly since some of the issues are at the VPN server.

1. If you are using policy based routing then the IP of the device is already assigned to a tunnel so assigning a device to multiple tunnels may not work.

2. Most VPN providers will only allow a router to have a single connection to any server. If the tunnel is down and the VPN provider hasn't kicked the router's IP off then trying to connect again using a different tunnel will not work unless like PIA they have options to connect to several different ports.

3. Many VPN providers will allow you to have up to five separate devices connected at any one time but in my experience they are not very good at always dropping disconnected devices so it is possible that rapid attempts to reconnect might use up your five possible connections and then the sixth connection attempt would be refused until the VPN server drops some of the connections.

IMHO a more straightforward approach is, if the tunnel is down, to force the router to reboot and if auto connect is on then usually the tunnel is reestablished. I do this on my network by using an IP switch. The IP switch's LAN IP is designated to connect to the Internet using the VPN tunnel. The IP switch is programmed to ping six sites on the WWW every 45 seconds and after multiple failures of all sites the switch cuts the power to my modem and my router. It then powers on the modem and 90 seconds later powers up the router. It will try this a set number of times or infinitely if that is what it wants. Once the connection is established it begins pinging the six sites again.

Someone on this site has probably written a script to do almost the same thing and reboot the router after the VPN tunnel goes down so you could try their script or write your own and see if it is sufficient for your needs.
 
I guess I didn't explain myself clearly.
I don't want to have multiple connections at the same time, but only one. I meant that I could preconfigure clients, so they would get connected if the active tunnel goes down.
Shouldn't be too hard, just need to know which commands to use in order to tear down the current tunnel and select next one from the list.
So the script would basically do exactly the same as disabling the current VPN client and enabling next one from the GUI.

Rebooting the router might work or not, but doesn't really sound like a solution, more like a hack.
The VPN provider has an issue that the country config doesn't take downtimes into consideration, so I cannot use it. I have set up VPN client to connect on reboot, but in case the VPN server is down, it won't be able to connect to a working one.
 
lko, good words from Captain. An idea if you'd like to keep an eye on the tunnel dropping without having your router GUI up; if you're running Windows, you might give the Glasswire trial a look. It has a lightweight memory footprint and extremely responsive alerting for everything going through your router. We've used it since it was in beta, it has quite a few useful features depending on which version you need. It can be hooked into the Windows firewall, not as 'the' firewall, but as a control front end of sorts (no idea how that works, since we've always used another firewall solution) for the LAN. It grabs our attention quickly and the dev keeps improving it. Other network monitors tend to be much heavier on resources. Hope that helps; good luck.
 
Exactly what I would like to see implemented. Using a router based VPN has the drawback of only connecting to one VPN server. Activating the KILL switch works fine to disconnect the clients when the VPN server goes off line, but the issue I experienced last evening was the VPN server reached 100% utilization. Didn't drop connection however the throughput was very poor. Having the ability to "hunt" for a better VPN server would be ideal. Not quite sure how this can be implemented? What would happen if the router connected to two or three VPN servers at the same time, with the same provider at different locations? Eric's version of ASUSWRT is great with five VPN servers able to be configured and the use of policy based routing. The stock ASUS firmware offers nothing.
 
Selecting a VPN server in real time requires being able to visualize/monitor all of the service's server loads in real-time, something that telecoms, video streaming companies, ISPs and all major corporations do, and then there's many government agencies, black and otherwise. VPN networks publish a certain level of their approximate loads for some of their popular servers, AirVPN was one. This is what sysadmins and their crews have traditionally been responsible for doing at the human level; it's much easier to do with modern network monitoring software, which doesn't have to be terribly costly. Doing something similar with a consumer-level router really stretches the imagination, even if you have plenty of it. It may be possible for mere citizens, someday if VPNs allow one access to their real-time data.

It would be easy enough to build a robust private system capable of monitoring these variables for a given VPN, again -if- the VPN would share their level of data with such a project. That would likely require an NDA, as it's under the heading of 'proprietary' systems and data.

As for doing something of an auto transfer with an Asus router, it didn't used to be possible to run two OpenVPN tunnels from the same service concurrently, even if they used different ports. That was then but now? Some VPNs now multiplex, modulate (or transfer) all customers who sign in using a special software/hardware setup (it's been a long week) to different servers in various geographic locations, to hop or skip unpredictably every so often, or with every click or page request. Many things for enterprising programmers/coders to ponder and develop for VPN aficionados. There are plenty of threads on the forum going back a while which cover different aspects of getting VPN configs to work in harmony on Asus-Merlin. Cheers.
 
I experienced last evening was the VPN server reached 100% utilization. Didn't drop connection however the throughput was very poor. Having the ability to "hunt" for a better VPN server would be ideal. Not quite sure how this can be implemented?

There are many scripts to allow monitoring/switching between VPN Clients e.g. Move to next VPN client in line if DOWN? but the definition of 'DOWN' varies between scenarios.

If the router is unable to detect and set the appropriate NVRAM variables (which describe the state of the VPN client connection) then the above script will not help as-is, but with a slight tweak (see ChkWAN.sh) you could check the throughput of a given cURL data transfer, and if the throughput is unacceptable try a different OpenVPN server.
 
There are many scripts to allow monitoring/switching between VPN Clients e.g. Move to next VPN client in line if DOWN? but the definition of 'DOWN' varies between scenarios.

If the router is unable to detect and set the appropriate NVRAM variables (which describe the state of the VPN client connection) then the above script will not help as-is, but with a slight tweak (see ChkWAN.sh) you could check the throughput of a given cURL data transfer, and if the throughput is unacceptable try a different OpenVPN server.

Thank you for this, I will take a look at your work when I find some time.

Cheers!
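
The failover loop discussed in this thread, sketched as an added example (not part of any post above and not one of the scripts the posters link to). The hook names `tunnel_up`, `stop_client` and `start_client` are hypothetical placeholders for the firmware's own commands, and the slot count and timings are assumptions.

```shell
#!/bin/sh
# Added example: one-at-a-time failover across pre-filled VPN client slots.
MAX_CLIENTS=5          # number of client tabs filled in the GUI (assumed: 5)
FAIL_LIMIT=3           # consecutive failed probes before the tunnel counts as down
PROBE_HOST=8.8.8.8     # Google's DNS server, the probe target suggested in the thread

# Hooks (hypothetical names). Replace the two placeholders with whatever the
# firmware uses to stop/start client N; swap tunnel_up for a log or
# throughput check if "down" means something else on your link.
tunnel_up()    { ping -c 1 -W 2 "$PROBE_HOST" >/dev/null 2>&1; }
stop_client()  { echo "placeholder: stop VPN client $1"; }
start_client() { echo "placeholder: start VPN client $1"; }

# Slot after $1, wrapping from MAX_CLIENTS back to 1.
next_client() { echo $(( $1 % MAX_CLIENTS + 1 )); }

# Succeeds (0) only when FAIL_LIMIT probes in a row fail, so a single lost
# ping does not trigger a switch.
tunnel_down() {
    n=0
    while [ "$n" -lt "$FAIL_LIMIT" ]; do
        tunnel_up && return 1
        n=$((n + 1))
        sleep "${PROBE_GAP:-5}"
    done
    return 0
}

# failover CURRENT: walk the other slots once. The old client is always
# stopped before the next one starts, so the provider never sees two sessions.
# On success ACTIVE holds the working slot. On failure every client is left
# stopped and the caller should wait before retrying, so repeated attempts
# do not use up the provider's connection limit.
failover() {
    cur=$1; tries=1
    while [ "$tries" -lt "$MAX_CLIENTS" ]; do
        stop_client "$cur"
        sleep "${SETTLE:-10}"          # give the server time to drop the session
        cur=$(next_client "$cur")
        start_client "$cur"
        sleep "${CONNECT_WAIT:-30}"    # allow the handshake to finish
        if tunnel_up; then ACTIVE=$cur; return 0; fi
        tries=$((tries + 1))
    done
    stop_client "$cur"
    return 1
}
```

A periodic job would run `tunnel_down && failover "$ACTIVE"`; with the kill switch enabled, LAN clients stay blocked while no slot is up.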
 
